ZooPark and Watering Hole Attacks

Another day, another oddly named malware attack.

Last week, researchers from Kaspersky disclosed that they had uncovered a highly sophisticated android malware strain, capable of stealing huge swaths of data. The variant, dubbed ZooPark, is pretty much “game over” for the infected device.

State-Sponsored Malware?

ZooPark been targeting devices in Middle East countries including Egypt, Morocco, Iran, Jordan and Lebanon. Thus far, the exploit has all the markings of a state-sponsored malware and has gone through many iterations to get to the level of sophistication is has today. 

In its first iteration, it was merely capable of exfiltrating contacts. Next, its developers added the ability to steal call logs, locations, text messages and device information. Then they added in the ability to steal call records, clipboard data, files and folders, browser data and history and pictures. This final iteration essentially gives the malware creators access to everything contained on the infected device.

Experts from Kaspersky say that this last stage of development is especially noteworthy. These full-throttle advances seem to imply that the variant is being used for specific surveillance purposes, which shouldn’t come as any big shock considering that the governments of the targeted countries are increasingly turning to surveillance tools to keep tabs on dissenters.

The malware has been caught spreading in one of two ways; The first is via malicious links on apps like Telegram. We’ll spare you the deets on the perils of clicking links. We’ve already gone through that lots of times and by now you should know how dangerous it can be to click links from untrusted sources.

Heck, even clicking links from trusted sources can get you into a world of trouble. But more about that in another post.

The other method being used to spread ZooPark is via watering holes.

So What’s a Watering Hole?

Remember back to that National Geographic special where the big bad crocodile lures a bunch of unsuspecting baby elephants into her muddy pond? Regardless of whether you tossed your cookies or wanted a replay, this is a typical watering hole attack in the wild.

When it comes to digital watering hole attacks, the execution is much the same (though you surely won’t want a replay). An attacker sets his or her sights on a specific website, generally one that is popular among a certain high-value group, injects it with some malware and lies in wait. Eventually, some or all of the intended victims show up and get infected with information-stealing malware.

Just how attackers decide where to place their malware is interesting in-and-of-itself. An attacker can’t really simply place malware on just any ‘ol website and wait for its intended victims to show up at the party. It needs to identify websites commonly visited by the intended victims that also contain certain vulnerabilities which allow it to be easily corrupted with malware. Popular websites usually have pretty decent security measures in place, so attackers have to do some homework to understand where their intended victims are surfing and then locate the less-secure ones. 

Once attackers have narrowed down the sites they want to use as their attack platform, they scan said websites for vulnerabilities. Then when they find something they can exploit, they inject malicious code into it and wait around for the victims to come to them. When a visitor lands on the compromised site, if their machine has certain weaknesses due to improper patching or updating, the malicious code is then injected onto their machine. From there, it can make its way onto the compromised machine’s network.

In the case of ZooPark, the compromised sites were mostly of the  Arabic-language news variety. This only helps reinforce the theory that ZooPark is really a highly specialized surveillance tool targeting people whom oppressive regimes may want to silence. This means that you probably don’t need to worry about this specific threat.

Avoiding Watering Hole Attacks 

What it doesn’t mean is that you needn’t worry about watering hole attacks in general. It’s an ever-growing threat so you certainly do. Just because you’re not a political dissenter or a journalist trying to shed light on to government-implemented atrocities doesn’t mean that no one is interested in spying on you.

You can protect your personal digital assets by ensuring that all your software and your OS are always properly updated and patched. A comprehensive anti-malware suite like Reason Core Security will also alert you to the presence of any dangerous code running on websites you visit.

Corporate environments tend to be higher value, and therefore higher risk, so more defenses need to be implemented. These defenses include the above pointers, as well as inspecting for malicious code on commonly visited websites on a regular basis, ensuring that firewalls are properly configured and monitoring all inbound and outbound traffic.

This is a threat that’s easy and effective so you can bet it’s not going away any time soon. Make sure you know how to best defend your assets.

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s